Security about serialized object.

Hi all, I am writing a simple client server application. Client application will send a serialized object (an object that implements Serializable interface) to the server. Server will recover the information on this object and do further procesing. Server also send by the same object to client after processing, client will get an update object with more and new information. If client is run via internet, how secured is this architecture? I don't encrypt the object at this point. If serialized object is unsecure, then i may consider to encrypt it before sending via the internet. Thanks.

A serialized object is totally unprotected and insecure. If you need to transfer one over the net or any other untrusted medium, then I would suggest either using a secure channel such as SSL/TLS (using JSSE), or wrapping the object inside a javax.crypto.SealedObject (part of JCE). Both JSSE and JCE are included in J2SDK 1.4, and downloadable as add-ons for earlier versions. - Peter

SoonAnn Lim

Ranch Hand

Posts: 155

posted 16 years ago

Thanks a lot.

All of the world's problems can be solved in a garden - Geoff Lawton. Tiny ad: